manual security hooks v1.7 #7

@backslashxx

This requires building this tree's KernelSU kernel driver with CONFIG_KSU_LSM_SECURITY_HOOKS=n.
This is so that we can replace those automated lsm hooks with manually hooked ones.

This is mostly meant for 3.0 ~ 3.18 builds.

This is due to missing LSM_HOOK_INIT, security_add_hooks and the whole subsystem on older kernels.

But yes, it also does work on newer kernels.

Also useful for 6.8 and beyond due to this

--- a/security/security.c
+++ b/security/security.c
@@ -132,6 +132,19 @@ int __init register_security(struct security_operations *ops)
 	return 0;
 }
 
+#ifdef CONFIG_KSU
+extern int ksu_bprm_check(struct linux_binprm *bprm);
+extern int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry);
+extern int ksu_handle_setuid(struct cred *new, const struct cred *old);
+#endif
+
 /* Security operations */
 
 int security_binder_set_context_mgr(struct task_struct *mgr)
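Review bot: the extern prototypes added above the "Security operations" comment are guarded only by CONFIG_KSU, while the description says these manual hooks assume a driver built with CONFIG_KSU_LSM_SECURITY_HOOKS=n. Nothing in the visible lines ties the two together, so on a kernel where the driver can still register its own LSM hooks, each handler could be reached through both paths. Consider guarding on the manual-hook configuration as well (or failing the build when both are enabled), and move the three prototypes into a header shared with the driver so a signature mismatch is caught at compile time rather than at link time.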
@@ -238,7 +251,9 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
 int security_bprm_check(struct linux_binprm *bprm)
 {
 	int ret;
-
+#ifdef CONFIG_KSU
+	ksu_bprm_check(bprm);
+#endif
 	ret = security_ops->bprm_check_security(bprm);
 	if (ret)
 		return ret;
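Review bot: ksu_bprm_check() is declared as returning int, but the call at the top of security_bprm_check() discards the result, so the handler can never affect whether the exec proceeds. If it is meant to be observation-only, say so in a comment or declare it void; if not, assign the result to ret and return on non-zero the same way the bprm_check_security call below does. The hunk also removes the blank line after "int ret;", which kernel style keeps between declarations and the first statement.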
@@ -545,6 +563,9 @@ int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
 			   struct inode *new_dir, struct dentry *new_dentry)
 {
+#ifdef CONFIG_KSU
+	ksu_handle_rename(old_dentry, new_dentry);
+#endif
         if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
             (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
 		return 0;
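Review bot: ksu_handle_rename() is called before the IS_PRIVATE() early return in security_inode_rename(), so the handler also runs for renames on private inodes that this function otherwise returns 0 for without further checks. If the handler only cares about ordinary files, move the call below the IS_PRIVATE() check; if the earlier placement is deliberate, add a comment saying why. As with the other call sites, the int return value is dropped and the old_dir/new_dir arguments are not passed, which is worth documenting next to the prototype.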

@@ -879,6 +903,9 @@ int security_kernel_module_from_file(struct file *file)
 int security_task_fix_setuid(struct cred *new, const struct cred *old,
 			     int flags)
 {
+#ifdef CONFIG_KSU
+	ksu_handle_setuid(new, old);
+#endif
 	return security_ops->task_fix_setuid(new, old, flags);
 }
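Review bot: ksu_handle_setuid() receives the non-const "struct cred *new" and runs before security_ops->task_fix_setuid(), so any change it makes to the new credentials is what the LSM then evaluates. Please document at the call site whether the handler modifies new or only inspects it. The flags argument is not forwarded, so the handler cannot tell which kind of set*id transition triggered the call, and its int return value is ignored; either pass flags and honour the result or note that both omissions are intentional.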
 

NOTE:

  • These hooks are made for the driver on THIS REPO. These hooks working on others are not assured.

changes:

v1.1 - added ksu_sb_mount manual hook
v1.2 - added ksu_inode_permission manual hook
v1.3 - added ksu_bprm_check manual hook
v1.4 - removed ksu_sb_mount in favor of userspace sending it
v1.5 - remove ksu_inode_permission in favor of userspace devpts workaround
v1.6 - remove ksu_handle_prctl due to new sys_reboot + ioctl from upstream
v1.7 - remove ksu_key_permission, this is now migrated to bprm. a dummy will be kept for 2 months (251117)

Labels: documentation (Improvements or additions to documentation)